Figure 8-4 ISA Server 2004 Management Console [View full size image] To perform remote administration of ISA Server 2004 firewalls using the management console, the management workstation must be added to the Enterprise Remote Management Computers (to manage all firewalls in the enterprise) or the Remote Management Computers (to manage a single firewall in the enterprise) computer set, and then remote management must be enabled The easiest way to this is to right-click the Firewall Policy object in the management console and choose Edit System Policy Under the Remote Management configuration group, select Microsoft Management Console and ensure that Enable is checked on the General tab Next, click the From tab and choose the appropriate group that you want to update, as shown in Figure 8-5, and then click Edit Figure 8-5 Modifying Remote Management Rules [View full size image] At the Properties screen, add, edit, or delete systems that will be allowed to perform remote management on the firewalls When you have finished, click OK to close any open windows, returning to the management console Before any configuration changes are actually performed on the ISA servers, the last task is to select to either apply or discard the changes, as shown in Figure 8-6 Figure 8-6 Applying Configuration Changes [View full size image] Note Keep in mind that any time you are applying or discarding changes you make, if you have made multiple changes then you are selecting to apply or discard all of the changes, or in the event of firewall policy changes, you are selecting to apply or discard the entire firewall policy Make sure you are comfortable with any and all changes you have opted to make before you decide to click Apply To understand how the Microsoft ISA Server 2004 firewall works, it is important to identify the specific functions that an ISA Server 2004 firewall can perform: • • • • • • Filter outbound access Publish internal resources Perform application filtering Configure system policy rules Configure client access methods Cache web data Filtering Outbound Access ISA Server 2004 manages and applies all rules in what is known as a firewall policy Two general classifications of rules, publishing rules, are used to define access from external sources to internal/protected resources, to external destinations Access rules consist of the following policy elements: • • • • • • • Rule action This defines whether traffic should be allowed or denied when the rule conditions are met Protocols This is where you specify the protocols to which the rule applies These can be any Layer (IP level) protocol, any Layer (transport layer) port number, or any ICMP properties Source This is where you define the source of the traffic that the rule will apply to, typically an internal network Destination This is where you define the destination of the traffic that the rule will apply to, typically an external network User sets This is where you define the users that the rule will apply to To take advantage of user sets, you cannot be using the SecureNAT firewall client because it has no means of performing authentication Content types This is where you define the Multipurpose Internet Mail Extensions (MIME) types and file extensions that the rule will apply to Content types can only be specified and used with rules for the HTTP and tunneled FTP (FTP that is handled by the Microsoft ISA Server 2004 web proxy filter) protocols, allowing you to define what specific content will be permitted (for example, denying exe extensions in URL requests) Schedules This is where you define the schedule during which the rule will be applied Schedules only apply to new connections; existing connections that are in place outside of the hours that the schedule has defined are not disconnected automatically Building the access rule is a largely wizard-driven process, with the exception of configuring the content types and schedule, which must be done by editing the properties of an existing rule Just right-click the firewall policy and choose New > Access Rule, as shown in Figure 8-7 Figure 8-7 Creating an Access Rule [View full size image] This will begin the New Access Rule Wizard At the Welcome screen, assign an appropriate access rule name and click Next At the Rule Action screen, select to Allow or Deny the traffic as appropriate and click Next At the Protocols screen, you can select to apply the rule to All Outbound Traffic, Selected Traffic, or All Outbound Traffic Except Selected Traffic If you choose the latter, you must click Add to specify the protocols that the rule applies to For example, Figure 8-8 shows a rule being created that applies to the HTTP protocol only Figure 8-8 Protocols Screen [View full size image] When you have finished, click Next to be presented with the Access Rule Sources screen Click Add to specify the traffic source that this rule will apply to Figure 8-9 shows the Add Network Entities screen that is accessed by clicking Add Figure 8-9 Add Network Entities Screen After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen Once again, click Add and specify the destination traffic that the rule will apply to When you have finished, click Next At the User Sets screen, specify the users that the rule will apply to Keep in mind that only web proxy clients and firewall clients perform authentication; so if you want the rule to apply to everyone, including unauthenticated users, just accept the default value of All Users, as shown in Figure 8-10 Figure 8-10 User Sets Screen [View full size image] Review the rule configuration and click Finish At this point, the rule has been created but not applied to the firewall Just click Apply in the MMC as previously discussed If you need to change any of the rule settings, including editing the content type or schedule configuration, just right-click the rule and choose Properties or Edit System Rule as appropriate for the corresponding rule  ... to click Apply To understand how the Microsoft ISA Server 2004 firewall works, it is important to identify the specific functions that an ISA Server 2004 firewall can perform: • • • • • • Filter... client access methods Cache web data Filtering Outbound Access ISA Server 2004 manages and applies all rules in what is known as a firewall policy Two general classifications of rules, publishing... specified and used with rules for the HTTP and tunneled FTP (FTP that is handled by the Microsoft ISA Server 2004 web proxy filter) protocols, allowing you to define what specific content will be